D3d9caps.dat Being Updated In Standby

Hi, I have been trying to fix some problems, and most of them seem to be gone, but I still have a nagging problem. There is a file, c:\windows\system32\d3d9caps.dat, that seems to be updated about once a second if the computer is in standby for a while with a user logged in. I have run a bunch of stuff (smitfraudfix, combofix, various online scans, etc.) and did not really have much infected, but this file still updates in the background. Online searches indicate others who are infected with something also have this file. I have some opinions that say it's part of Direct3D, but there is no 3D stuff running that I know of. I am not a big gamer either.
I am running WinXP Pro SP2, fully patched, 3GB RAM, etc. Zone Labs Internet Security Suite for AV/AS/FW/etc.
I have 4 other computers and none of them have this file, even a gaming machine.
Any ideas on what I should look for? Other scans to run?
Thanks for any advice you have to offer.
Jman9

See if you can upload the file to Jotti or VirusTotal. The name implies that the file is part of DirectX; however, it could be a ZLOB Trojan variant. None of my XP, 2000, or NT machines have this file anywhere. They all have the latest version of DirectX. The only way I know to be sure about this file is to scan with several malware programs.

When doing a search on the net for d3d9caps.dat, you will find a lot of reports about it. The file shows up on numerous systems and is suspected to be part of DirectX Direct3D. I have not been able to confirm that but from what I'm finding, the file does not appear to be malware related either.

Thanks for the good ideas. Jotti and VirusTotal both found nothing in the file (it's only 5416 bytes long). I also found lots of references to the file name on the web, and I don't think it's part of Direct3D. It's only on this computer.
I did find some interesting things about it since I posted.
It seems that Juice 2.2 is downloading new podcasts on a certain schedule. When it does, and hands the file off to iTunes, and the computer is in standby, then this file is created and updated. It seems to be connected to iTunes trying to find cover artwork for the podcast. It's possible that network communication is down during standby, so the update does not happen until the user logs back in and the connection is restored. I have moved all my podcast updates to iTunes directly and eliminated the automatic checking, which (so far) seems to have kept this file from updating.
However, a quick log check shows at least a few more cases of the file being updated, so I guess I will have to investigate further. It may just be tied to any time iTunes tries to update cover artwork.
Jman9

Found some more interesting stuff. After eliminating Juice from the equation, now the file is also being updated when the screen saver starts to run (I'm just using a blank, nothing fancy). It doesn't happen every time. Also, sometimes the computer freezes up and I can't do anything. It appears to be happening at random times, according to the GoBack restore log. Still troubleshooting... will keep you all informed if something interesting comes up.
Jman9